The Hacker News — Cyber Security, Hacking, Technology News

Some websites have been found using a simple yet effective technique to keep their cryptocurrency-mining JavaScript secretly running in the background even after you close your web browser.

Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by leveraging the CPU power of their visitors' PCs to mine Bitcoin or other cryptocurrencies.

After the world's most popular torrent download website, The Pirate Bay, was caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.

However, websites using such crypto-miner services can only mine cryptocurrency as long as you're on their site. Once you close the browser window, they lose access to your processor and associated resources, which stops the mining.

Unfortunately, this is not the case anymore.

Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.

How Does This Browser Technique Work?

According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft Windows computer.

From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.

Researchers say this technique is a lot harder to identify and is able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted by Amazon Web Servers.

"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself," Jérôme Segura, Malwarebytes' Lead Malware Intelligence Analyst, says in the post. "Closing the browser using the "X" is no longer sufficient."

To avoid being noticed, the code running in the hidden browser window watches its own CPU usage and keeps it throttled to a medium level rather than maxing out the processor.

You can also have a look at the animated GIF image that shows how this clever trick works.

This technique works on the latest version of Google's Chrome web browser running on the most recent versions of Microsoft's Windows 7 and Windows 10.

How to Block Hidden Cryptocurrency Miners

If you suspect your computer CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find any browser icon there, your computer is running a crypto-miner. Now simply, kill it.

More technical users can open Task Manager to check that there are no leftover browser processes still running, and terminate any that are.

Since web browsers themselves do not currently block cryptocurrency miners, and neither does the integrated Windows Defender antivirus software, you can use an antivirus program that automatically blocks cryptocurrency miners on the web pages you visit.

Contact your antivirus provider to check whether yours does.

Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.

Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.

No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

Next time someone sends you a photo of a cute cat or a hot chick on WhatsApp or Telegram, be careful before you click on the image to view it — it might hack your account within seconds.

A new security vulnerability has recently been patched by two popular end-to-end encrypted messaging services — WhatsApp and Telegram — that could have allowed hackers to completely take over a user's account simply by having the user click on a picture.

The hack only affected the browser-based versions of WhatsApp and Telegram, so users relying on the mobile apps are not vulnerable to the attack.

According to Check Point security researchers, the vulnerability resided in the way both messaging services process images and multimedia files without checking whether they contain hidden malicious code.

To exploit the flaw, all an attacker needed to do was send malicious code hidden within an innocent-looking image. Once the victim clicked on the picture, the attacker could gain full access to the victim's WhatsApp or Telegram storage data.

This in turn gave attackers full access to the user's account from any browser: they could view and manipulate chat sessions and access the victim's personal and group chats, photos, videos, audio, other shared files and contact lists.

To make the attack widespread, the attacker could then send the malware-laden image to everyone on the victim's contact list, meaning one hijacked account could lead to countless further compromises by leapfrogging from account to account.

Video Demonstration

The researchers also provided a video demonstration, given below, which shows the attack in action.

Here's Why This Vulnerability Went Undetected:

Both WhatsApp and Telegram use end-to-end encryption for their messages to ensure that nobody except the sender and the receiver can read the messages in transit.

However, this same end-to-end encryption security measure was also the source of this vulnerability.

Since the messages were encrypted on the sender's side, WhatsApp and Telegram had no way of knowing that malicious code was being sent to the receiver, and thus were unable to prevent the content from being run.

"Since messages were encrypted without being validated first, WhatsApp and Telegram were blind to the content, thus making them unable to prevent malicious content from being sent," the researchers writes in a blog post.

WhatsApp fixed the flaw within 24 hours on Thursday, March 8, while Telegram patched the issue on Monday.

Since the fixes have been applied on the server end, users don't have to update any app to protect themselves from the attack; instead, they just need a browser restart.

"It's a big vulnerability in a significant service," said Oded Vanunu, head of product vulnerability research at Check Point. "Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients."

WhatsApp did not observe any abuse of the vulnerability, while Telegram claimed the flaw was less severe in its case than in WhatsApp's, as it required the victim to right-click on the image and open it in a new window or tab for the malicious code to run.

After fixing this flaw, content on the web versions of both WhatsApp and Telegram will now be validated before the end-to-end encryption comes into play, allowing malicious files to be blocked.

Just like most of you, I too really hate filling out web forms, especially on mobile devices.

To help make this whole process faster, Google Chrome and other major browsers offer an "Autofill" feature that automatically fills out web forms based on data you have previously entered in similar fields.

However, it turns out that an attacker can use this autofill feature against you and trick you into spilling your private information to hackers or malicious third parties.

Finnish web developer and whitehat hacker Viljami Kuosmanen published a demo on GitHub that shows how an attacker could take advantage of the autofill feature provided by most browsers, plugins, and tools such as Password Managers.

This trick was first discovered by Ricardo Martin Rodriguez, Security Analyst at ElevenPaths, in 2013, but it seems Google hasn't done anything since to address the weakness in the Autofill feature.

The proof-of-concept demo website consists of a simple online web form with just two fields: Name and Email. But what's not visible are many hidden (out of sight) fields, including the phone number, organization, address, postal code, city, and country.

Giving away all your Personal Information Unknowingly

So, if a user with an autofill profile configured in their browser fills out this simple form and clicks the submit button, all the fields are sent: the six fields that are hidden from the user but present on the page also get filled out and delivered to unscrupulous phishers.
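The pattern described above (autofillable fields that the page hides with CSS) can be recognised mechanically. The following is an added example, not code from the article or from Kuosmanen's demo: a small audit that scans a form's markup for `<input>` elements whose autocomplete token (or name) is something a browser profile would populate, and that are hidden by common CSS tricks. The `AUTOFILL_TOKENS` list is an assumed subset of the HTML autocomplete tokens, the regex-based tag scan is deliberately minimal, and `SAMPLE_FORM` is a constructed form with the same six hidden fields the article lists. Which hiding techniques a particular browser version will actually autofill varies, so the audit flags all of them.

```javascript
// Added example: audit form markup for autofillable fields hidden from the user.
// Not from the article or Kuosmanen's PoC; the token list and sample form are assumptions.

// Assumption: a representative subset of HTML autocomplete tokens a profile can fill.
const AUTOFILL_TOKENS = new Set([
  'name', 'email', 'tel', 'organization', 'street-address', 'postal-code',
  'address-level1', 'address-level2', 'country', 'country-name',
  'cc-number', 'cc-exp', 'cc-csc',
]);

// CSS patterns that keep a field in the form while removing it from view.
const HIDING_CSS = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0(?![.\d])/i,          // fully transparent
  /(?:left|top)\s*:\s*-\d{3,}px/i,      // parked far off-screen
  /(?:width|height)\s*:\s*0(?:px)?\b/i, // collapsed to nothing
];

// Read one attribute value from a single <input ...> tag string.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1].trim().toLowerCase() : '';
}

// One record per <input>: is it autofillable, is it hidden, and therefore suspicious?
function auditAutofillFields(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.map((tag) => {
    const name = attr(tag, 'name');
    // Browsers classify a field by its autocomplete token first, then by name/id heuristics.
    const token = attr(tag, 'autocomplete') || name;
    const hidden = HIDING_CSS.some((re) => re.test(attr(tag, 'style')));
    const autofillable = AUTOFILL_TOKENS.has(token);
    return { name, autofillable, hidden, suspicious: autofillable && hidden };
  });
}

// Names of the fields a user would submit without ever having seen them.
function suspiciousFieldNames(html) {
  return auditAutofillFields(html).filter((f) => f.suspicious).map((f) => f.name);
}

// Constructed sample: two visible fields plus six hidden ones, as in the article.
const SAMPLE_FORM = `
<form action="/submit" method="post">
  <input name="name" autocomplete="name">
  <input name="email" autocomplete="email">
  <input name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input name="organization" autocomplete="organization" style="display:none">
  <input name="address" autocomplete="street-address" style="visibility:hidden">
  <input name="postal" autocomplete="postal-code" style="opacity:0">
  <input name="city" autocomplete="address-level2" style="height:0; overflow:hidden">
  <input name="country" autocomplete="country-name" style="top:-5000px">
  <input type="submit" value="Send">
</form>`;

console.log('hidden autofill fields:', suspiciousFieldNames(SAMPLE_FORM));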

You can also test your browser and extension autofill feature using Kuosmanen's PoC site.

Kuosmanen's attack could be made even worse by adding more personal fields out of the user's sight, including the user's address, credit card number, expiration date, and CVV, although auto-filling financial data will trigger warnings in Chrome when the site does not offer HTTPS.

Kuosmanen's attack works against a variety of major browsers and autofill tools, including Google Chrome, Apple Safari, Opera, and even the popular cloud security vault LastPass.

Mozilla Firefox users do not need to worry about this particular attack, as the browser currently does not have a multi-box autofill system and forces users to select pre-fill data for each box manually.

Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9.

Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium, a startup from the French company Vupen that buys and sells zero-day exploits.

And guess what, for how much?

$1,000,000. Yes, $1 Million.

Last month, a Bug bounty challenge was announced by Zerodium for finding a hack that must allow an attacker to remotely compromise a non-jailbroken Apple device through:

A web page on Safari or Chrome browser,

In-app browsing action, or

Text message or MMS.

Zerodium's founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million bounty for submitting a remote browser-based iOS 9.1/9.2b jailbreak (untethered) exploit.

No More Fun. It's a Serious Threat to iOS Users

For those who are not aware, this remote Jailbreak is not really cool.

Why? Because…

The only difference between a malicious cyber attack and a jailbreak is the payload: the code that executes on the target system after exploitation.

A traditional jailbreak is usually used to deploy an alternative App Store, but in the hands of hackers or law enforcement agencies, the same exploit can be used to install any app they want with full privileges, i.e. spyware, malware or surveillance software.

Moreover, we know that Zerodium's parent company Vupen develops hacking techniques based on such bugs and typically sells them to multiple government customers.

So, the chances are high that the firm will resell the newly discovered and undisclosed remote iOS zero-day jailbreak exploit to its clients, which are said to include spy agencies, governments, and law enforcement agencies.

Your Turn, Apple…

Let's see how long Apple's security team will now take to find this open zero-day bug in its software and close the door before it's too late.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Webmasters can track all your activities on the Internet – even if you have already cleared your browsing history and deleted all saved cookies.

A researcher demonstrated two unpatched flaws that can be exploited to track Millions of Internet users, allowing malicious website owners:

List Building: To compile a list of visited domains by users, even if they have cleared their browsing history

Tracking Cookies: To tag users with a tracking cookie that will persist even after they have deleted all cookies

These two browser fingerprinting techniques abuse HTTP Strict Transport Security (HSTS) and Content Security Policy, new security features already built into Mozilla Firefox and Google Chrome and expected to make their way to other mainstream browsers in the near future.

WHAT IF, The Website owners turn these Security features against You?

A security researcher demonstrated exactly that last weekend at the Toorcon security conference in San Diego.

Yan Zhu, an independent security researcher, demonstrated how websites can abuse HSTS protections and Content Security Policy to track even the most paranoid user, allowing a website to sniff a user’s previously visited domains.

Yes, despite its obvious relation with 'Strictness' and 'Security', HTTP Strict Transport Security (HSTS) can be abused to keep track of you whenever you visit a website, even though it claims to keep your communication with that site more secure.

Hard to Believe?

Visit this web page http://zyan.scripts.mit.edu/sniffly/ yourself in Chrome, Firefox, or Opera and you will probably end up with an accurate list of websites you have and have not visited.

How Does Sniffly Work?

The exploit attempts to embed non-existent images from various HSTS-protected domains over HTTP.

Sniffly then uses JavaScript to detect whether or not your web browser can establish a secure connection with those websites.

If you have visited the HSTS website before, it will connect within a few milliseconds. But if it takes longer to connect, there's a chance that you have never visited the HSTS website before.

This browser fingerprinting technique is a simple method to sniff a quick list of which secure sites a user has and hasn't visited.

Video Demonstration

Zhu has developed this proof-of-concept attack site, which she has dubbed Sniffly, to showcase her attack, and has also posted its source code on GitHub. You can also watch the video of her presentation below.

Certificate Pinning Tracks You even after Deleting Cookies

Besides tracking browser history, Zhu also demonstrated how a website can track Google Chrome users even if they delete all cookies after every visit.

Instead of exploiting HSTS, the 'Supercookie' technique abuses weaknesses in HTTP Public Key Pinning (HPKP), also known as Certificate Pinning.

HPKP is a security measure designed to protect users against certificate forgeries by allowing websites to specify which certificate authorities have issued valid certs for their websites, rather than accepting any one of the hundreds of built-in root certificates.

Sniffly can abuse the standard by pinning text that is unique to each visitor, then reading that text back on subsequent visits and using it the way a browser cookie would be used to track a user's browsing habits.

However, unlike a browser cookie, the certificate pin will remain intact even after the cookies are deleted.

Few Limitations

The fingerprint-sniffing attack developed by the researcher, for instance, records only the domain and subdomains, instead of full URLs. Also, it only tracks visits to HSTS-protected sites for now.

Moreover, the results aren't accurate for people using the HTTPS Everywhere browser plugin; however, such shortcomings can likely be overcome with code modifications and refinements in the future.

Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome, in a way that you will not notice any difference while browsing.

The new adware software, dubbed "eFast Browser," works by installing and running itself in place of Google Chrome.

The adware does all kinds of malicious activities that we have seen quite often over the years:

Generates pop-up, coupon, pop-under and other similar ads on your screen

Places other advertisements into the web pages you view

Redirects you to malicious websites containing bogus content

Tracks your movements on the web to help nefarious marketers send more crap your way and generate revenue

Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft.

What's Nefariously Intriguing About this Adware?

The thing that makes this adware different from others is that instead of taking control of your browser, eFast Browser uses a deceptive method of replacing your entire browser with a malicious copy of Chrome.

In a published report, Malwarebytes detailed that the nefarious software attempts to delete Chrome and take its place, allowing it to hijack several file associations including HTML, JPG, PDF, and GIF, as well as URL associations including HTTP, HTTPS, and MAILTO.

The eFast Browser is based on Google's Chromium open-source software, so the browser maintains the look and feel of Google Chrome at first glance, tricking users into believing that they are using the legitimate Chrome browser.

The malicious program then replaces any Chrome desktop and website shortcuts with its own versions, whose window design and icons strikingly resemble Chrome's.

"The installer for eFast also deletes all the shortcuts to Google Chrome on your taskbar and desktop," wrote Malwarebytes, "most likely hoping to confuse the user with their very similar icons."

What's more?


The malicious computer program comes from a company calling itself Clara Labs, who developed a slew of similar browsers under titles such as BoBrowser, Unico, and Tortuga.

How does eFast Browser Install itself in the First Place?

eFast Browser is just another Potentially Unwanted Program (PUP), according to PCrisk, which gets itself onto your PC by bundling itself with free software installers from dubious sources on the web.

It's easier for malicious software to replace your browser than to infect it: because of Chrome's defenses against in-browser malware, cyber criminals are now overwriting the browser completely.

It is relatively easy to avoid installing eFast Browser and, fortunately, also relatively easy to uninstall if you have found it on your computer. You can follow the removal instructions detailed by PCRisk.

The Annual Pwn2Own Hacking Competition 2015 held in Vancouver is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash.

During the second and final day of this year's hacking contest, the latest versions of all four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by two security researchers.

Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:

5 bugs in the Windows operating system

4 bugs in Internet Explorer 11

3 bugs in Mozilla Firefox

3 bugs in Adobe Reader

3 bugs in Adobe Flash

2 bugs in Apple Safari

1 bug in Google Chrome

$557,500 USD bounty paid out to researchers

The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout in Pwn2Own history, an amazing bounty of $110,000, in just two minutes.

Lee was able to take down both stable and beta versions of Google Chrome browser by exploiting a buffer overflow race condition bug in the browser and nabbed $75,000 as bug bounty.

For this same bug, Lee also nabbed an extra $25,000 for gaining system access by targeting an information leak and a race condition in two Windows kernel drivers. For hacking the beta version of Chrome, Google's Project Zero rewarded Lee with an extra $10,000. So, he earned a grand total of $110,000.

"To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration," HP's security research team wrote in a blog post Thursday. "There are times when 'Wow' just isn't enough."

Earlier in the day, Lee also earned $65,000 for hacking 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability that gained him read/write privileges in the browser. He used a sandbox escape via JavaScript injection to evade Windows' defense mechanisms.

By using a use-after-free exploit and a separate sandbox escape, Lee also took down Apple's Safari browser. The hack earned him $50,000 and brought his total winnings to $225,000 from the contest.

An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication), an open-source standard that enables browsers to make voice or video calls without needing any plug-ins.

AFFECTED PRODUCTS

Late last month, security researchers revealed a massive security flaw that enables website owners to easily see the real IP addresses of users through WebRTC, even if they are using a VPN or even PureVPN to mask their real IP addresses.

The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to the Windows operating system; users of Linux and Mac OS X are not affected by this vulnerability.

HOW DOES THE WebRTC FLAW WORK

WebRTC allows requests to be made to STUN (Session Traversal Utilities for NAT) servers, which return the "hidden" home IP address as well as the local network addresses of the system the user is on.

The results of these requests can be accessed using JavaScript, but because they are made outside the normal XMLHttpRequest procedure, they are not visible in the developer console. This means the only requirements for this to work are WebRTC support in the browser and JavaScript.
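The addresses the STUN exchange reveals arrive in the browser as ICE candidate strings (the `candidate` field of each `RTCPeerConnection` `icecandidate` event). The following is an added example, not code from the article or from Daniel Roesler's demo: a parser for those candidate lines that separates the local (host) addresses from the public (server-reflexive and relay) ones, so a self-check or a privacy extension can report what a page would be able to learn. The sample candidates are constructed; the parser and the private-range classification are this example's own assumptions. In a browser you would feed it live `event.candidate.candidate` values; here it runs offline. Newer Chrome versions replace host candidate IPs with mDNS `.local` names, which the parser reports separately.

```javascript
// Added example: parse ICE candidate lines and classify the addresses they expose.
// Not from the article or Roesler's demo; sample lines below are constructed.

// RFC 5245 candidate attribute: foundation, component, transport, priority,
// connection-address, port, "typ" type, optional raddr/rport.
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

// RFC 1918 plus loopback and link-local ranges.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

function parseIceCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    transport: m[3].toLowerCase(),
    ip: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),   // host = local interface, srflx = address seen by the STUN server
    raddr: m[8] || null,        // for srflx/relay: the address this candidate was derived from
  };
}

function classifyAddress(ip) {
  if (/^[0-9a-f-]+\.local$/i.test(ip)) return 'mdns';  // Chrome's obfuscated host candidate
  if (ip.includes(':')) return 'ipv6';
  return isPrivateIPv4(ip) ? 'private' : 'public';
}

// Collect every distinct address a page could read from these candidates, by class.
function summarizeExposure(lines) {
  const buckets = { private: new Set(), public: new Set(), mdns: new Set(), ipv6: new Set() };
  for (const line of lines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    buckets[classifyAddress(c.ip)].add(c.ip);
    if (c.raddr) buckets[classifyAddress(c.raddr)].add(c.raddr);
  }
  return Object.fromEntries(Object.entries(buckets).map(([k, v]) => [k, [...v].sort()]));
}

// Constructed sample: one LAN host address, a STUN-discovered public address,
// a TURN relay, and an mDNS-obfuscated host candidate (documentation IP ranges).
const SAMPLE_CANDIDATES = [
  'candidate:1467250027 1 udp 2122260223 192.168.1.23 56143 typ host generation 0',
  'candidate:1467250027 2 udp 2122260222 192.168.1.23 56144 typ host generation 0',
  'candidate:842163049 1 udp 1677729535 203.0.113.45 56143 typ srflx raddr 192.168.1.23 rport 56143 generation 0',
  'candidate:1853887674 1 udp 41819902 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 56143 generation 0',
  'candidate:0 1 udp 2122262783 a1b2c3d4-e5f6-7890-abcd-ef1234567890.local 50000 typ host generation 0',
];

console.log(summarizeExposure(SAMPLE_CANDIDATES));
```

For a VPN user the question is whether the `public` bucket contains anything other than the VPN's egress address; the `private` bucket is what the article calls the local network addresses.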

CHECK YOURSELF NOW

A demonstration published by developer Daniel Roesler on GitHub allows people to check if they are affected by the security glitch.

Also, you can go through the following steps in order to check if you're affected:

If you come across a suspicious Facebook message with 'LOL' text or a fake image file sent by any of your Facebook friends, avoid clicking it. A Trojan horse is currently circulating in the wild through the Facebook social network that could steal your Facebook account data and credentials.

Security researchers first spotted this malware campaign at the beginning of March this year. The Trojan spreads itself through Facebook's Messenger service (inbox) by messaging a victim, pretending to be one of their friends, saying "LOL" with a zip file attached that appears to be a photo named "IMG_xxxx.zip".

In the past two weeks, many of our readers informed us that they received similar ZIP files from their trusted Facebook friends. The Hacker News team also noticed that, despite several warnings in the media, the malware campaign has once again gone viral like any other video scam, but this time directly from inbox to inbox.

HOW DOES THE TROJAN CAMPAIGN SPREAD

A Facebook user receives a file directly in their inbox from one of their trusted friends. It appears to be a photo, named 'IMG_xxxx.zip', with a message such as 'LOL', 'OMG', "Have a look at this" or "I can't believe someone posted this".

The user downloads the file, assuming it to be from the trusted friend, and unzips it on the desktop.

The zip file contains a jar file called 'IMG_xxxx.jar', which executes when the user clicks it.

The jar file itself is not the virus but a malware agent (dropper), which downloads a file remotely from a pre-defined Dropbox account (as shown in the code).

Once downloaded, it installs the malware as a service on the victim's system.

It then spreads itself further to the victim's Facebook friends by automatically sending similar malicious messages in the background.

To evade detection, the malware injects itself into legitimate processes running on the victim's system. This is how the campaign has been spreading rapidly, like a chain reaction, over the last few weeks.

ARE YOU AFFECTED?

To check whether you have fallen victim to this attack after opening such a file sent by a trusted friend, scan your whole system using a reputable antivirus solution and, to be on the safe side, change your Facebook account password.

Researchers found the malware as a variant of the Zusy Trojan, which operates by hooking into web browsers in order to steal credit card number or password and send it to the remote malware author.

HOW TO PROTECT?

Before opening any such file, ask the sender whether they actually sent it. If they deny it, simply DO NOT DOWNLOAD it.

Cyber criminals have discovered yet another method of using the world's most popular social networks for their own purposes, and because Facebook has become one of the most popular social networking websites, with more than one billion active users this year, it serves as a vast platform for scammers and cyber criminals to spread malware and virus infections. So, protect yourself from the threats - Stay Tuned to 'The Hacker News'.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Visiting a website that has an SSL certificate doesn't mean that the website is not bogus. Secure Sockets Layer (SSL) protects web users in two ways: it uses public key encryption to encrypt sensitive information, such as usernames, passwords, or credit card numbers, between a user's computer and a website, and it verifies the identity of websites.

Today hackers and cyber criminals are using every trick available to steal users' credentials and other sensitive data, including injecting fake SSL certificates into bogus websites impersonating social media, e-commerce, and financial websites.

DETECTING FAKE DIGITAL CERTIFICATES WIDELY

A group of researchers, Lin-Shung Huang, Alex Rice, Erling Ellingsen and Collin Jackson, from Carnegie Mellon University in collaboration with Facebook have analyzed [PDF] more than 3 million SSL connections and found strong evidence that at least 6,845 (0.2%) of them were in fact tampered with using forged certificates, i.e. self-signed digital certificates that aren't authorized by the legitimate website owners but will be accepted as valid by most browsers.

They utilized the widely supported Flash Player plug-in to enable socket functionality, implemented a partial SSL handshake on their own to capture forged certificates, and deployed this detection mechanism on an Alexa top 10 website, Facebook, which terminates connections through a diverse set of network operators across the world.

Modern web browsers generally display a warning message when they encounter errors during SSL certificate validation, but the warning page still allows users to proceed over a potentially insecure connection.

One could argue that certificate warnings are mostly caused by server misconfigurations. But according to usability surveys, many users simply ignore SSL certificate warnings, and trusting forged certificates makes them vulnerable to even the simplest SSL interception attacks.

This means that a potential hacker can successfully impersonate any website, even over secure (HTTPS) connections, to perform an SSL man-in-the-middle attack and intercept encrypted connections.

FAKE DIGITAL CERTIFICATES SIGNED WITH STOLEN KEYS FROM ANTIVIRUS

Researchers observed that most of the forged SSL certificates use the same issuer names as legitimate digital certificate issuers, such as VeriSign and Comodo.

Some antivirus software, such as Bitdefender, ESET, BullGuard, Kaspersky Lab, Nordnet and DefenderPro, has the ability to intercept and scan SSL connections on clients' systems in order to defend their users from fake SSL connections. These antivirus products generate their own certificates, which look less alarming than other self-signed digital certificates.

"One should be wary of professional attackers that might be capable of stealing the private key of the signing certificates from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client)," the researchers explained. "Hypothetically, governments could also compel antivirus vendors to hand over their signing keys."

Similar capabilities are found in various firewall, parental-control and adware software, which could be compromised by hackers in order to generate valid-looking but fake digital certificates.

DIGITAL CERTIFICATES GENERATED BY MALWARE

Researchers also noticed another interesting self-signed digital certificate, named 'IopFailZeroAccessCreate', which was generated by malware on client-end systems and used the same name as the trusted certificate issuer "VeriSign Class 4 Public Primary CA."

"These variants provide clear evidence that attackers in the wild are generating certificates with forged issuer attributes, and even increased their sophistication during the time frame of our study," they said.

Detection statistics show that the clients infected with the malware serving the 'IopFailZeroAccessCreate' bogus digital certificate were spread across 45 different countries, including Mexico, Argentina and the United States.

Malware researchers at Facebook, in collaboration with the Microsoft Security Essentials team, were able to confirm these suspicions and identify the specific malware family responsible for this attack.

DETECTION AND ATTACK MITIGATION TECHNIQUES

Attackers may also restrict Flash-based sockets by blocking Flash socket policy traffic on port 843, or may avoid intercepting SSL connections made by the Flash Player, in order to bypass the detection technique used by the researchers. To counter this, websites could serve socket policy files over firewall-friendly ports (80 or 443) by multiplexing web traffic and socket policy requests on their servers.

In addition, the researchers discuss mitigation techniques in the paper such as HTTP Strict Transport Security (HSTS), the Public Key Pinning Extension for HTTP (HPKP), TLS Origin-Bound Certificates (TLS-OBC), certificate validation with notaries and DNS-based Authentication of Named Entities (DANE), which servers could use to enforce HTTPS and validate digital certificates.

HOW TO REMOVE MALWARE

If you are also infected by any similar malware, please follow below given steps to remove it:

A free Chrome, Firefox and Safari web browser plugin floating around the web, called 'Sell Hack', allows users to view the hidden email address of any LinkedIn user, which means anyone can grab the email addresses we use for professional purposes.

When installed, the 'Sell Hack' plugin will pop up a 'Hack In' button on LinkedIn profiles and further automatically mines email addresses of LinkedIn users.

NOT A SECURITY BREACH

It's not a security breach: LinkedIn has confirmed that no LinkedIn data has been compromised. Rather, this free extension relies on an algorithm that checks publicly available data in order to guess users' email addresses.

So without exploiting any loophole or vulnerability, Sell Hack is capable of predicting users' email addresses with OSINT (Open-Source Intelligence) techniques i.e. information collected from publicly available sources.

It is also possible that the Sell Hack extension gathers data from the users who have installed it: the plugin can watch your activity on the site and collect the information of any direct connection whose page you decide to visit, and in this way Sell Hack can cross-serve the collected data to other users.

LinkedIn users who have downloaded Sell Hack should uninstall it immediately. "LinkedIn members who downloaded Sell Hack should uninstall it immediately and contact Sell Hack requesting that their data be deleted," LinkedIn officials warned.

LINKEDIN IS NOT HAPPY

The professional social network giant LinkedIn has decided to take legal action and has publicly criticised Sell Hack in statements. LinkedIn has taken the SellHack team to court for disclosing users' email IDs to people they are not connected with.

"We are doing everything we can to shut Sell Hack down. On 31 March LinkedIn's legal team delivered Sell Hack a cease-and-desist letter as a result of several violations," a LinkedIn spokesman said.

IS IT LEGAL?

The developers of the Sell Hack tool explained, "The data we process is all publicly available. We just do the heavy lifting and complicated computing to save you time. We aren't doing anything malicious to a social website. We think browser extensions are the best way to personalize an individual's web experience."

On their website, Sell Hack answers the question "How does it work?" with: "If we don't receive a validation response, we'll present a 'copy all' button to copy & paste the list for your own uses: i.e. check your own data sources or BCC email the entire list etc." That means that if the service is not able to guess a user's email address, it will ask you to supply your own email database for further matching.

SOLUTION

Two days ago LinkedIn sent a cease-and-desist notice to Sell Hack for violating the LinkedIn Terms of Service, and as a result the SellHack extension no longer works on LinkedIn pages. "SellHack plugin no longer works on LinkedIn pages," the developers stated.

The picture appears to have been uploaded by a friend and, admittedly, you might want to see some of your Facebook friends naked. But beware! If you get curious and click, you will be redirected to a malicious website that reports that your Flash Player is not working properly and needs to be re-installed.

But in actuality it installs malware on your system, and once approved, several hidden things can happen to you. It further installs a malicious browser extension to spread the scam and steal users' photos.

"When the link is clicked, users are sent to a very realistic-looking mockup of a YouTube page, where the hackers will try to immediately install the Malware Trojan," WLTX reports.

So, don't click it! According to the report, 2 million Facebook users are already infected by the same malware campaign and are unknowingly flooding their friends' timelines with it. Clicking on the message automatically publishes the same link on the victim's Facebook wall, potentially allowing friends to click on it.

Malware often takes advantage of the fact that you trust your friends. So keep an eye on the links and messages from your friends, and if in doubt, ask them whether they actually sent you something or not.

The recent malware attacks are just a few examples of the dangers of using the social network Facebook. Stay safe by keeping your browser up to date and installing operating system updates when they are released. Please share this news with your Facebook friends to make all of them aware of it.

Google, one of the most trusted brands, is continuously trying to make its products more robust and secure in order to keep its users safe.

Google honors vulnerability hunters under its bug bounty program, and not only that: the company also offers huge rewards to hackers in its 'Pwnium' hacking competition for finding critical vulnerabilities.

Google Chrome, the browser from Google's product family, has gained a new feature: it will warn the user whenever the browser's settings are altered by malware.

Browser hijacking is the modification of a browser's settings, and the term "hijacking" is used when the changes are performed without the user's permission. A browser hijacker may replace the existing home page, error page, or search page with its own. These are generally used to force hits to a particular website, increasing its advertising revenue, i.e. clickjacking and adware.

A hijacker uses malicious software to change your internet security and registry settings to gain control over what and how your browser displays web content.

"So, you're trying to download a free screensaver or a game or something else you really want. But later you find out that the game came bundled with a malicious program that's trying to hijack your browser settings. You're not the only one having this problem, in fact, it's an issue that's continuing to grow at an alarming rate," Google said on its official blog.

Browser hijacking is one of the top issues reported on browser forums. But from now on, Windows Chrome users will be prompted to reset the browser settings to factory defaults if the browser senses any sort of hijacking.

Users are free to choose whether to reset or to skip the prompt, depending on their settings. The Chrome reset feature itself is not new; you can manually reset all the settings, plugins, and extensions to the factory defaults via:

chrome://settings > Show Advanced Settings > 'Reset browser Setting'

Once you reset the browser, it'll disable every extension, theme or app you have installed on it. You can re-enable apps manually by visiting the chrome://extensions/ page. You may need to restart the browser for the re-enabled apps to work.

Browser extensions are extra features and functionality that you can easily add to Google Chrome, Firefox and other popular browsers, but they can also be used to serve malicious adware, which automatically renders advertisements in order to generate revenue for its author.

Hackers are now taking their business rather more seriously than we thought. Even a single instance of malicious adware on your PC can inject bad ads or malware to your browser.

Ads are a legitimate way to monetize. However, creating and spreading a fresh add-on to gain a large user base is always tough, so adware companies have found a new trick: buying trusted browser extensions with a large user base and exploiting their auto-update status to push out adware.

Recently, the developer of the 'Add to Feedly' Chrome extension, Amit Agarwal, whose extension had 30,000+ users, was approached by some mysterious buyers. "It was a 4-figure offer for something that had taken an hour to create and I agreed to the deal," he said.

"I transferred the ownership of the extension to a particular Google Account. A month later, the new owners of the Feedly extension pushed an update to the Chrome store. No, the update didn't bring any new features to the table, nor did it contain any bug fixes. Instead, they incorporated advertising into the extension."

Google updates Chrome extensions silently in the background, and the majority of users would not notice the changes. But when Google Chrome is affected by adware, you may experience frequent pop-up ads and redirection to malicious domains.

"These aren't regular banner ads that you see on web pages, these are invisible ads that work in the background and replace links on every website that you visit into affiliate links."

Ad injections are not in violation of the Chrome Web Store program policies, but they must be presented in the context of the extension or, when present within another page, the ads must be outside the page's normal flow and clearly state which extension they are bundled with.

After reviewing Amit's extension, Google has now finally removed it from the Chrome Web Store. If your browser is also infected with adware or any other type of malicious software, check your browser add-ons and extensions regularly, disabling those you don't use and those that look suspicious.

After the revelations from NSA internal documents leaked by Edward Snowden, the world knows the NSA as the Real Techie Gangster of this 21st Century, with the ability to brutally infiltrate every kind of electronic device, the Internet, and global communications.

"It is becoming increasingly difficult to trust the privacy properties of software and services we rely on to use the Internet. Governments, companies, groups and individuals may be surveilling us without our knowledge," said Brendan Eich, the inventor of JavaScript and current CTO of Mozilla, in a blog post.

The NSA is not just focused on high-tech exploits, but also specializes in inserting secret backdoors into legitimate products. Its Tailored Access Operations (TAO) unit works with the CIA and FBI to intercept shipments of hardware and insert spyware into the devices. In this way the NSA is able to keep an eye on all levels of our digital lives, from computing centers to individual computers, and from laptops to mobile phones.

It really troubles us when the government itself forces service providers to insert backdoors for the purpose of surveillance and makes them keep silent through gag orders. So, what can users rely on?

Most probably the best option left is open source. Brendan Eich suggested not blindly trusting any software vendor whose products are not open source, because at the end of the day most big companies must comply with the law.

"Mozilla has one critical advantage over all other browser vendors. Our products are truly open source," he said. "Every major browser today is distributed by an organization within reach of surveillance laws."

Now what if the law forces vendors to secretly violate their own principles and do things they don't want to do? The vendors are then compromising their own goodwill and end-to-end trust, and are becoming the target of users' fury.

We all know that Microsoft's Internet Explorer is fully closed-source software, and while the Safari and Chrome browsers use open-source rendering engines (WebKit), they are still not fully open source and contain significant fractions of closed-source code.

Firefox, on the other hand, is completely open source, which means its source code is available to everyone, and anybody can verify it and detect flaws.

Anyone can verify the official Firefox executable (available on the website for download) by comparing it with the compiled executable version from the original source code (also available for download).

"Through international collaboration of independent entities we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users' privacy expectations," he said.

There's a lot of argument about whether the NSA's tactics have actually prevented much terrorism or otherwise aided the security of the United States, but security guru Bruce Schneier said, "If we can't trust either our government or the corporations that have intimate access into so much of our lives, society suffers."

Just like other web browsers, Google Chrome also offers a password manager feature that can save your logins and basic information for automatic form-filling.

The Google Chrome browser stores all your passwords in plain text format, and they can be accessed by opening the following URL in your Chrome browser: "chrome://settings/passwords". Unlike Firefox, until now Google Chrome has not offered any master password protection.

Finally, Google has implemented master password protection in the Chrome password manager on Windows and Mac. Now you have to enter your Windows account password to reveal the saved passwords. After entering the password, the protection is lifted for a minute, after which the user needs to re-authenticate.

Previously, Google was criticized many times for such bad password storage practice: there was no master password, no security, not even a prompt that "these passwords are visible", and this allows anyone with access to a user's computer to see all the stored passwords directly from the settings panel.

But what if there is no Windows account password? I have tested this, and you are guessing right: AGAIN A BUGGY feature; no password window will prompt to access the saved passwords.

While this new feature is not yet available in the stable version of Chrome, its inclusion in the latest Chromium builds for Windows and Mac suggests that it will soon be added to the stable version of Chrome.

I hope Google will allow a user to set their own, different master password for Chrome to make it hack-proof.

Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate.

By the time you notice that something's wrong, your perimeter has already been breached, your servers have been brought down, and there is little left to do but hang up and move on.

So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser? Some common bot filtering methods, which usually rely on sets of Progressive Challenges, are absolutely useless against bots that can retain cookies and execute JavaScript.

The alternative, indiscriminately flashing CAPTCHAs at anyone with a browser, is nothing less than a self-inflicted disaster, especially when the attacks can go on for weeks at a time.

To demonstrate how these attacks can be stopped, here's a case study of an actual DDoS event involving such browsers: an attack which employed a swarm of human-like bots that would, under most circumstances, result in a complete and total disaster.

Browser-based Botnet: Attack Methodology

The attack was executed by an unidentified botnet, which employed browser-based bots that were able to retain cookies and execute JavaScript. Early in the attack they were identified as PhantomJS headless-browsers.

PhantomJS is a development tool that uses a bare-bones (or "headless") browser, providing its users with full browsing capabilities but no user interface: no buttons, no address bar, etc. PhantomJS can be used for automation and load monitoring.

The attack lasted for over 150 hours, during which we recorded malicious visits from over 180,000 attacking IPs worldwide. In terms of volume, the attack peaked at 6,000 hits/second, for an average of over 690,000,000 hits a day. The number of attacking IPs, as well as their geographical variety, led us to believe that this might have been a coordinated effort, involving more than one botnet at a time.

More than one Botnet?

Throughout the duration of the attack we dealt with 861 different user-agent variants, as the attackers constantly modified the header structure to try and evade our defenses. Most commonly, the attackers were using different variants of Chrome, Opera and Firefox user-agents.

Most active attacking IPs.

It is interesting to note that, besides using human-like bots, the attackers also made an effort to mimic human behavior, presumably to avoid behavior-based security rules. To that end, the attackers leveraged the number of available IP addresses to split the load in a way that would not trigger rate-limiting. At the same time, by constantly introducing new IPs, the attackers made sure that IP restriction would be just as ineffective. The bots were also programmed for human-like browsing patterns: accessing the sites from different landing pages and moving through them at a random pace and in varied patterns, before converging on the target resource.

Methods of Mitigation

Incapsula’s Layer 7 security perimeter uses a combination of filtering methods, which create several defensive layers around the protected website or web application.

In this case the nature of the attacking bots allowed them to successfully bypass Progressive Challenges. As mentioned, the botnet's shepherds also went to great lengths to evade our Abnormality Detection mechanisms, which they were able to do, at least to some extent.

However, by using a known headless browser, the attackers left themselves open to detection by our Client Classification mechanism, which, interestingly enough, uses the same technology as the 'Bot Filtering' feature of our free plan.

Our Client Classification algorithms rely on a crowd-sourced pool of known signatures, consisting of information gathered from across our network. At the time of the attack, the signature pool held over 10,000,000 signature variants, each of them containing information about:

User-agent

IPs and ASN info

HTTP Headers

JavaScript footprint

Cookie/Protocol support variations

In the context of browser-based visitors, this means that we are looking not only at the more apparent factors (like user-agent or their correlation to origin IPs), but also at the intricate nuances that exist within each browser.

Security is a closed-hand game, so it would be hard to explain this without exposing some of our methods. Still, to provide some context, we can say that (at the low end) this means looking at minor differences in the way browsers handle encoding, respond to specific attributes, etc. For example, we can learn about our visitors from the way their browser handles HTTP headers with double spacing or special characters.

The point is, our database holds tens of thousands of variants for each known browser or bot, to cover all possible scenarios (e.g. browsing from different desktop or handheld devices, going through proxies, etc.). Best of all, in this case the attacker's weapon of choice, the PhantomJS WebKit, is one of those signatures.
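The classification described above, as an added example that is not Incapsula's code: a toy scorer over constructed log records covering the listed signals (user-agent, per-IP user-agent churn, a header quirk, JavaScript footprint, cookie retention). The `js` beacon field, the weights and the thresholds are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic). "js" is a hypothetical value a
# page-side beacon reports: "phantom" when window._phantom or window.callPhantom
# existed (a well-known PhantomJS trait), "browser" for a normal browser, "" when
# no JavaScript ran. "cookie" says whether the client returned our session cookie.
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
OPERA_UA = "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16"
PHANTOM_UA = "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.2 Safari/534.34"
HTML = "text/html,application/xhtml+xml"

SAMPLE_LOGS = [
    # real visitor: one UA, clean headers, normal JS footprint, keeps cookies
    {"ip": "198.51.100.7", "ua": CHROME_UA, "accept": HTML, "js": "browser", "cookie": True},
    {"ip": "198.51.100.7", "ua": CHROME_UA, "accept": HTML, "js": "browser", "cookie": True},
    # bot that never rewrote its UA: the PhantomJS token itself is a signature
    {"ip": "203.0.113.5", "ua": PHANTOM_UA, "accept": "*/*", "js": "phantom", "cookie": True},
    # bot rotating Chrome/Firefox/Opera UAs from one IP; it keeps cookies and runs
    # JS (so Progressive Challenges pass it) but leaks a header quirk and JS footprint
    {"ip": "203.0.113.9", "ua": CHROME_UA, "accept": "text/html,  */*", "js": "phantom", "cookie": True},
    {"ip": "203.0.113.9", "ua": FIREFOX_UA, "accept": "text/html,  */*", "js": "phantom", "cookie": True},
    {"ip": "203.0.113.9", "ua": OPERA_UA, "accept": "text/html,  */*", "js": "phantom", "cookie": True},
    # plain scripted client: no JS, no cookies; a Progressive Challenge catches this one
    {"ip": "192.0.2.44", "ua": FIREFOX_UA, "accept": "*/*", "js": "", "cookie": False},
]


def score_record(rec):
    """Per-request evidence. Returns (points, reasons); weights are constructed."""
    points, reasons = 0, []
    if "PhantomJS" in rec["ua"]:            # signature hit on the UA string itself
        points += 10; reasons.append("ua:phantomjs-token")
    if rec["js"] == "phantom":              # JS footprint exposes the headless engine
        points += 10; reasons.append("js:phantom-object")
    elif rec["js"] == "":                   # never ran our JS: fails the Progressive Challenge
        points += 3; reasons.append("js:none")
    if not rec["cookie"]:                   # did not retain the cookie we set
        points += 3; reasons.append("cookie:not-retained")
    if "  " in rec["accept"]:               # constructed "double spacing" header quirk
        points += 4; reasons.append("hdr:double-space")
    return points, reasons


def classify_ips(records, churn_limit=2):
    """Aggregate per IP: strongest single request plus cross-request UA churn.
    Verdicts: "block" (known headless-browser signature), "challenge" (offer the
    CAPTCHA redemption), "allow"."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        points, reasons = 0, set()
        for rec in recs:
            p, why = score_record(rec)
            points = max(points, p)
            reasons.update(why)
        if len({r["ua"] for r in recs}) > churn_limit:   # many UA variants, one address
            points += 4; reasons.add("ua:churn")
        verdict = "block" if points >= 10 else "challenge" if points >= 3 else "allow"
        verdicts[ip] = (verdict, sorted(reasons))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, why) in classify_ips(SAMPLE_LOGS).items():
        print(f"{ip:14} {verdict:9} {', '.join(why)}")
```

Note that the rotating-UA bot is blocked on the footprint and header signals even though it passes the cookie and JavaScript checks, which is the gap in Progressive Challenges the post describes.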

Fortune favors the prepared

And so, while the attackers were ducking and diving to make their bots look like humans, all our team really had to do was let our system discover the type of headless browser they were using. From there it was a simple task of blocking all PhantomJS instances. We even left a redemption option, offering visitors the chance to fill in a CAPTCHA, just in case any of them were real human visitors.

Not surprisingly, no such CAPTCHAs were filled.

1 DDoS blocked.

Aftermath

The attacks continued past the point of mitigation. Days later, after we switched to auto-pilot, the attackers were still trying to come at us with new user-agents and new IPs, obviously oblivious to the real reason for their blockage. However, for all their T-1000-like relentlessness, they were already iced. Their cover was blown, and their methods, signatures and patterns were internally recorded for future reference.